The CyberWire Daily Podcast 6.14.24
Ep 2089 | 6.14.24

A hacking keeps you humble.

Transcript

Microsoft’s President admits security failures in congressional testimony. Paul Nakasone joins OpenAI’s board. The feds hold their first AI tabletop exercise. CISA reports on the integration of space-based infrastructure. Cleveland city hall remains closed after a cyber attack. Truist commercial bank confirms a data breach. Rockwell Automation patches three high-severity vulnerabilities. University of Illinois researchers develop autonomous AI hacking agents. Arynn Crow, Sr Manager of AWS User Authentication Products, talks with N2K’s Brandon Karpf about security through MFA and FIDO Alliance passkeys, and her work on the Digital Identity Advancement Foundation. Can an AI run for mayor?

Today is Friday June 14th, 2024 - Flag Day here in the good old U.S of A. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Microsoft’s President admits security failures in congressional testimony.

In congressional testimony yesterday, Microsoft President Brad Smith admitted security failings that enabled Chinese state hackers to access emails of US officials in 2023. Smith accepted responsibility for issues cited in a Cyber Safety Review Board (CSRB) report. The report blamed Microsoft for security failures that let Chinese hackers, Storm-0558, access 25 organizations' email accounts, including US officials.

The hackers used a Microsoft encryption key and exploited flaws in the authentication system to gain global access to Exchange Online accounts. The CSRB found an inadequate security culture and gaps in Microsoft's security processes.

Smith acknowledged Microsoft's crucial cybersecurity role and the increased cyber threats from geopolitical conflicts. He apologized to those impacted by the Storm-0558 attack and outlined steps Microsoft is taking to enhance security. This includes implementing CSRB recommendations, transitioning to a new key management system, and enhancing token validation processes.

Smith added that Microsoft has added security engineers and created the Office of the CISO to ensure security is prioritized. The company’s Secure Future Initiative aims to design and operate products with security in mind.

Following harsh feedback from security experts, Microsoft has delayed its Recall AI feature for further security testing. This feature, intended for Copilot and Windows PCs, faced privacy concerns for recording users' activities. The roll-out will now start with the Windows Insider Program for additional testing.

Paul Nakasone joins OpenAI’s board. 

OpenAI has appointed former NSA director Paul M. Nakasone to its board of directors. Nakasone will join the Safety and Security Committee, established to improve model testing and curb abuse. This move follows CEO Sam Altman's temporary ousting and aims to address security criticisms, including allegations of prioritizing profits over safety.

Nakasone's appointment comes as OpenAI faces scrutiny over its security practices and increased efforts to enhance transparency and hire more security engineers. The company has lifted a ban on using its products for military purposes, allowing uses aligned with its values.

Nakasone's military expertise aligns with tech companies increasingly seeking such backgrounds for navigating a tougher regulatory environment and advancing government relations.

The feds hold their first AI tabletop exercise. 

On Thursday, the federal government held its first tabletop exercise focused on artificial intelligence (AI) incident response, led by the Cybersecurity and Infrastructure Security Agency (CISA) under the Joint Cyber Defense Collaborative. The exercise included 50 AI experts from 15 companies and several international cyber defense agencies. This initiative is part of the Biden administration's efforts to mitigate AI risks as companies like Microsoft push for AI-enabled products.

The exercise aimed to understand AI-related cybersecurity incidents, improve information-sharing, and enhance collaboration between industry and government. CISA plans to release an AI security incident collaboration playbook by the end of 2024, detailing AI-specific incident response coordination. Participating organizations included the FBI, NSA, and international cyber security centers.

CISA reports on the integration of space-based infrastructure. 

CISA has released a report emphasizing the growing integration of satellites, spacecraft, and their ground-based infrastructure into our daily lives. My N2K colleague Maria Varmazis has the story.

For more space news, be sure to check out the T-minus daily space podcast, right here on the N2K Cyberwire network. 

Rounding out news from CISA, the agency added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-32896 (Android Pixel Privilege Escalation), CVE-2024-26169 (Microsoft Windows Error Reporting Service Improper Privilege Management), and CVE-2024-4358 (Progress Telerik Report Server Authentication Bypass). Federal agencies must address these vulnerabilities by July 4, 2024.

Globe Life investigates a possible web portal breach. 

American financial services company Globe Life announced that attackers may have accessed consumer and policyholder data through a breached web portal. The incident was discovered on June 13 during a security review prompted by a state insurance regulator's inquiry. Globe Life quickly removed external access to the portal and believes the issue is isolated to this portal, with other systems remaining operational. The company activated its incident response plan and hired external security experts to assess and remediate the breach. As the investigation continues, the full impact is unknown, but operations have not been materially affected.

Cleveland city hall remains closed after a cyber attack. 

Cleveland City Hall remains closed due to a cyber incident that has disrupted city systems for six days. Residents can't access services like birth and death certificates or building permits. Local reporters spoke with Eneida Vazquez, who needed her baby’s birth certificate for travel; she was frustrated by the closure but obtained the document in nearby Lakewood. Cleveland officials say they are working to restore systems and have contained the threat. The timeline for City Hall reopening remains unclear.

Truist commercial bank confirms a data breach. 

U.S. commercial bank Truist confirmed a breach in its systems from an October 2023 cyberattack. A threat actor, known as Sp1d3r, posted Truist’s data for sale on a hacking forum, claiming to have information on 65,000 employees, bank transactions, and IVR funds transfer source code.

Truist, formed from the 2019 merger of SunTrust Banks and BB&T, quickly contained the breach, secured systems with outside consultants, and notified affected clients. The ongoing investigation has found no evidence of fraud. Truist denies any connection to the recent Snowflake incidents. 

Rockwell Automation patches three high-severity vulnerabilities. 

Rockwell Automation has patched three high-severity vulnerabilities in its FactoryTalk View Site Edition (SE) HMI software, identified internally. Two vulnerabilities (CVE-2024-37368 and CVE-2024-37367) involve user authentication issues allowing unauthorized remote access, while the third (CVE-2024-37369) is a local privilege escalation flaw. The issues are resolved in version 14. Additionally, Rockwell addressed a vulnerability in ControlLogix, GuardLogix, and CompactLogix controllers that could cause network-wide faults. CISA has issued advisories on these vulnerabilities.

University of Illinois researchers develop autonomous AI hacking agents. 

Researchers from the University of Illinois have developed AI agents capable of autonomously hacking websites and exploiting zero-day vulnerabilities—security flaws unknown even to developers. These agents, using a system called Hierarchical Planning and Task-Specific Agents (HPTSA), collaborate like a team, with a planning agent delegating tasks to specialized agents for different vulnerabilities such as XSS and SQL injection.

Unlike traditional AI hacking methods, HPTSA agents don't need prior knowledge of specific vulnerabilities and can discover new zero-days independently. Tested on 15 real-world vulnerabilities, HPTSA successfully exploited 53% in just five attempts, outperforming conventional security scanners. Each successful exploit costs around $24 for the LLM API (GPT-4 Turbo).

This breakthrough highlights the growing threat of AI-powered cyberattacks and underscores the urgent need for advanced defensive measures in cybersecurity. The age of AI hacking is here, shifting the hacking paradigm towards more sophisticated, autonomous threats.

Coming up, we’ve got the first of the interviews captured during the AWS re:Inforce event this past week. N2K’s Brandon Karpf speaks with guest Arynn (pronounced like Erin) Crow about security through MFA and FIDO Alliance passkeys, and her work on the Digital Identity Advancement Foundation. We’ll be right back.

Welcome back. You can find links to the AWS re:Inforce conference and the Digital Identity Advancement Foundation that Arynn spoke of in the show notes. 

Can an AI run for mayor?

And finally, from our “what could possibly go wrong desk,” Victor Miller is running for mayor of Cheyenne, Wyoming, and he has a unique campaign promise: if elected, an AI bot named VIC (Virtual Integrated Citizen) will make the decisions. Miller, calling himself VIC’s “meat puppet,” will attend meetings and sign documents. VIC, based on ChatGPT, will handle policy recommendations and voting, leveraging its ability to analyze vast amounts of data quickly.

Miller's candidacy has raised legal questions, as AI bots aren't allowed to run for office. Despite this, Miller is on the ballot. Wyoming Secretary of State Chuck Gray has expressed concerns, emphasizing that only qualified electors, i.e., real people, can run for office.

Miller created VIC after experiencing frustration with local government processes and believes the AI can improve transparency and efficiency. Despite potential challenges, Miller is excited about the future and VIC’s potential to transform local governance.

If he wins, Miller may unlock a secret weapon against corruption — a mayor that can’t be bribed, only rebooted. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.